Viewing 35 posts - 1 through 35 (of 35 total)
  • The NSA, GCHQ and encryption.
  • Cougar
    Full Member

    The tinfoil hat brigade will love this.

    http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

    Shocking stuff.

    boxfish
    Free Member

    Not shocking, really. Moore’s law ensures the vulnerability of electronic comms to surveillance. Email is about as secure as the Post Office.

    GrahamS
    Full Member

    DrJ
    Full Member

    boxfish – Member

    Not shocking, really. Moore’s law ensures the vulnerability of electronic comms to surveillance. Email is about as secure as the Post Office

    Not really – a truly random password of 16 characters is essentially uncrackable by any computer smaller than a planet. The rate at which the job gets harder just by adding one character far outstrips Moore’s Law.
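Added example, not part of any post in this thread: a small Python model of the brute-force arithmetic discussed above, comparing a constant guess rate with one that doubles on a Moore's-law schedule. The 95-symbol alphabet, the 1e12 guesses/second starting rate and the 18-month doubling period are assumptions chosen for illustration, and the model covers exhaustive search of a uniformly random password only.

```python
import math

ALPHABET = 95                      # printable ASCII symbols (assumption)
BASE_RATE = 1e12                   # guesses per second today (assumption)
DOUBLING_YEARS = 1.5               # attacker speed doubles this often (assumption)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_bits(length, alphabet=ALPHABET):
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(alphabet)


def years_at_fixed_rate(length, rate=BASE_RATE, alphabet=ALPHABET):
    """Expected years to search half the keyspace at a constant guess rate."""
    return alphabet ** length / 2 / rate / SECONDS_PER_YEAR


def years_with_doubling(length, rate=BASE_RATE, alphabet=ALPHABET,
                        doubling=DOUBLING_YEARS):
    """Years to search half the keyspace when the rate keeps doubling.

    Guesses made by year T: rate * k * (2**(T/doubling) - 1),
    with k = doubling * SECONDS_PER_YEAR / ln 2. Solve for T.
    """
    target = alphabet ** length / 2
    k = doubling * SECONDS_PER_YEAR / math.log(2)
    return doubling * math.log2(target / (rate * k) + 1)


def extra_years_per_character(alphabet=ALPHABET, doubling=DOUBLING_YEARS):
    """Delay one more character buys against the doubling attacker."""
    return doubling * math.log2(alphabet)


if __name__ == "__main__":
    for n in (8, 12, 16, 20):
        print(f"{n:2d} chars  {keyspace_bits(n):6.1f} bits  "
              f"fixed: {years_at_fixed_rate(n):9.2e} y  "
              f"doubling: {years_with_doubling(n):6.1f} y")
    print(f"each extra character: x{ALPHABET} work, "
          f"about {extra_years_per_character():.1f} years of doubling")
```
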

    retro83
    Free Member

    DrJ – Member
    Not really – a truly random password of 16 characters is essentially uncrackable by any computer smaller than a planet. The rate at which the job gets harder just by adding one character far outstrips Moore’s Law.

    Not as simple as that, the algorithm may have flaws or backdoors engineered into it – IIRC the NSA already are known to have previous on doing exactly this. Sophisticated hardware such as FPGAs can also be used to massively accelerate the process beyond what’s possible with a normal CPU.

    Also this sounds like it isn’t really anything to do with passwords, but TLS/SSL i.e. for eavesdropping on connections to ‘secure’ sites (HTTPS).

    DrJ
    Full Member

    That was sort of my point – that just brute force is not enough, so Moore’s Law is of limited help. The spies need to cheat.

    (Bit more info here BTW)

    retro83
    Free Member

    DrJ – Member
    That was sort of my point – that just brute force is not enough, so Moore’s Law is of limited help. The spies need to cheat.

    Oh I see, (and I agree)

    rickmeister
    Full Member

    Dan Brown, Digital Fortress similarities methinks…

    compositepro
    Free Member

    Didn’t they get a bit shifty with the guy who did PVP keys or is that just an old wives tale that they couldn’t break it

    gofasterstripes
    Free Member

    Huh. And there I was thinking one of the pros of shelling out for a Westmere chip was the on-the-fly AES encryption…. hmmm if anyone’s implementations are compromised it’ll be Intel’s

    No mention of open source in that article, but in the comments TOR and TrueCrypt.

    Hmmmmmm indeed.

    wwaswas
    Full Member

    I was thinking about this and thought;

    “Open source encryption software would be relatively immune to this – it’s the keys that make it secure and if the source is visible then there can’t be backdoors”

    and then I thought;

    “They’ll just get the people who write the compilers to insert code that looks for particular sequences of source and inserts the back door during a build.”

    It seems, at the moment, that it’s not being paranoid that’s the problem, it’s not being paranoid enough.

    and that ‘well if you’ve done nothing wrong you’ve got nothing to hide’ argument is, frankly, bollocks – if you have no idea who is looking at your online activity and why you have no basis for judging whether it is a threat to you or not.

    oldnpastit
    Full Member

    The Stasi would be amazed by what we’ve achieved…..

    Anyone know of a good alternative to gmail?

    gonefishin
    Free Member

    Didn’t they get a bit shifty with the guy who did PVP keys or is that just an old wives tale that they couldn’t break it

    Oh there were all sorts of problems with that. Without some sort of back door hack PGP is effectively unhackable, unless someone has come up with a short cut method of factoring for prime numbers. The maths behind it is actually deceptively simple. There is a section on it in Simon Singh’s “Code Book”

    deadlydarcy
    Free Member

    But have they found Fred’s new log-in yet?

    boxfish
    Free Member

    brute force is not enough

    No, on its own it isn’t, but if you have known vulnerabilities then processing oomph enables quicker exploitation of the holes.

    samuri
    Free Member

    This isn’t particularly new news unfortunately. Stories of commercial software with agency backdoors in have been circulating for years. PGP and TrueCrypt being the main headline ones.

    One of the points made in the article is that agencies may have been sitting on encrypted data waiting for computers to catch up so they could brute force it or wait for a vulnerability to be announced.

    Don’t forget it’s not just the length of your password that makes it difficult to crack, the algorithm used to encrypt it is paramount. Stuff that was deemed effective years ago is now understood to be weak such as DES and WEP and even stuff that is still in regular use such as SSL is known to be vulnerable. We intercept and decrypt all SSL traffic leaving our company on the fly with a few exceptions (medical/banking etc).

    mrmonkfinger
    Free Member

    “They’ll just get the people who write the compilers to insert code that looks for particular sequences of source and inserts the back door during a build.”

    Thank goodness we have open source compilers then.

    The NSA/GCHQ stuff appears to rely on nobbling the server’s private keys, so if you have some method where the private keys aren’t available (person – person PGP using short term keys) then it’s back to being unhackable (at least in a sensible timeframe). That’s just what the math dictates.

    It’s a bit like car theft now. Cars are so difficult to break into, it’s far easier to pinch the keys by mugging the owner.

    Anyway, this kind of stuff has been going on for years, RSA was limited to 64 bits by the US so that they could hack it using brute force.

    http://en.wikipedia.org/wiki/Key_size

    wwaswas
    Full Member

    Thank goodness we have open source compilers then.

    and they’ll just put something in the firmware…

    samuri
    Free Member

    Thank goodness we have open source compilers then.

    the article suggests the NSA have been ‘influencing’ closed source vendors

    oldnpastit
    Full Member

    We intercept and decrypt all SSL traffic leaving our company on the fly with a few exceptions (medical/banking etc).

    How do you decrypt SSL? Is that simply by playing around with the CAs that the computers in your organization trust and then doing a MITM attack? Surely not brute-forcing the secret keys?

    Cougar
    Full Member

    Didn’t they get a bit shifty with the guy who did PVP keys

    Yeah. He accused them of “camping” and “griefing” him. In an official statement, they replied “less QQ, moar pew pew”.

    This isn’t particularly new news unfortunately

    It is in so far as it’s backed up with facts rather than conspiracy-theory speculation.

    somouk
    Free Member

    How do you decrypt SSL? Is that simply by playing around with the CAs that the computers in your organization trust and then doing a MITM attack? Surely not brute-forcing the secret keys?

    Exactly that… Publish a new root cert via AD.

    I work with proxies that do MITM attacks on a daily basis and I have no doubt the American and maybe British security services have a high level Root CA that they can use to decrypt and re-encrypt SSL traffic if they feel the need to snoop.

    All the other stuff probably has manufactured flaws.

    samuri
    Free Member

    Yes, MITM but SSL is historically flawed anyway which has been known for a long time

    It is in so far as it’s backed up with facts rather than conspiracy-theory speculation.

    Well I’m still seeing no real evidence here but there’s plenty of evidence from leading security commentators (Schneier et al) that TrueCrypt has deliberately been nobbled going way back.

    purpleyeti
    Free Member

    the thing about mitm attacks is you need to be set up to intercept the traffic in the first place. the information available seems to be more hinting at they can retrospectively decrypt, which more points to either flaws in encryption algorithms or backdoors. also the point about passwords being longer=stronger is not correct. password is only as good as the way it’s hashed, they are very rarely encrypted as it’s not the securest way of storing and using them.

    mikewsmith
    Free Member

    The software is not the weak link in all of this… https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis

    footflaps
    Full Member

    Deliberately forcing companies to either weaken the encryption or leave back doors everywhere is pretty poor, as it weakens security for everyone. Eventually some criminal gangs will spot a back door and then hack all our bank traffic online etc. The government can always get access to specific data via court orders, so there is no need to undermine all encryption on the web.

    molgrips
    Free Member

    The NSA, now:

    Things are bad. And I’m not overly worried about people reading my emails, but the flouting of the principles behind laws is more worrying.

    Rio
    Full Member

    The government can always get access to specific data via court orders, so there is no need to undermine all encryption on the web

    I think a court order against, say, a suspected terrorist might (a) be ineffective and (b) give away the fact that they’re being monitored.

    footflaps
    Full Member

    I think a court order against, say, a suspected terrorist might (a) be ineffective and (b) give away the fact that they’re being monitored.

    They do it all the time and the suspect wouldn’t be told. The order would be between GCHQ / Police and the relevant company eg Vodafone, Google, your bank etc.

    purpleyeti
    Free Member

    c, if they are using one time encryption get them nowhere

    Drac
    Full Member

    [video]http://www.youtube.com/watch?v=1U8KsQPIrY0[/video]

    elliptic
    Free Member

    They’ll just get the people who write the compilers to insert code that looks for particular sequences of source and inserts the back door during a build.

    Thank goodness we have open source compilers then.

    Actually… it turns out you can still hide a backdoor in an open source compiler:

    http://scienceblogs.com/goodmath/2007/04/15/strange-loops-dennis-ritchie-a/
    http://cm.bell-labs.com/who/ken/trust.html

    Houns
    Full Member

    People are surprised by this?

    Rio
    Full Member

    They do it all the time and the suspect wouldn’t be told. The order would be between GCHQ / Police and the relevant company eg Vodafone, Google, your bank etc.

    Those requests are for intercepting communications, which is a separate issue from weakening crypto or putting in back doors. A RIPA request may result in a load of ciphertext, at which point you either serve a notice to try to get the keys or more likely exploit one of those weaknesses/back doors.

    mikewsmith
    Free Member


The topic ‘The NSA, GCHQ and encryption.’ is closed to new replies.